Installing Management Center for Cisco Security Agents 5.2
78-17916-01
Chapter 2 Deployment Planning
Policy Tuning and Troubleshooting
logging the behavior of the rules used by members of the Administrator
group. Monitor policies can be used in clever ways to focus in on specific
behavior without interrupting applications and services.
• Set up separate agent kits to support the different features of your pilot. For
example, you might have some desktop kits that have all policies in test
mode, some desktop kits with a basic set of well-tested policies in live mode
plus one experimental policy in test mode, and so forth. Labelling these kits
clearly will help your pilot participants download the set of policies you
want them to test and give you clear feedback on areas needing improvement.
There are two general approaches to policy creation, and the approach you choose
affects how you tune and troubleshoot the policies:
• Using the supplied Desktop and Server group policies plus a few
application-specific policies. In this scenario, you attach each participating
host to the following groups:
– <All <platform>>
– Desktops - All types or Servers - All types
– A task-specific group, such as Servers - Apache Web Servers or
Servers - SQL Server 2000
Then, you attach each group to the following policies:
– A Virus Scanner policy. CSA supplies policies for Norton, McAfee, and
Trend antivirus software. If you are using a different antivirus product,
you might need to use the generic Virus Scanner policy, or clone it and
make modifications to suit your virus scanner application.
– An Installation Applications policy. CSA supplies installation software
policies for Windows, Linux, and Solaris.
Note: If you do not attach antivirus and installation policies to each
participating group of hosts, the CSA event logs will contain a large
number of false positives, making it difficult to manage the pilot.
After attaching the Desktop and Server groups, Virus Scanner policy, and
Installation Application policy, you are ready to create agent kits, start the
pilot, examine the event log, and stage the next policy additions. For example,
if you have a prioritized list of applications to protect, start with the first on
the list, use the Analysis -> Application Behavior Investigation tool to